# # Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved. # # # ikev2.config - Configuration file for the IKEv2 daemon # # This file should be edited using pfedit(1M) as a user assigned the # "Network IPsec Management" profile. Editing this file directly as root is # not recommended: pfedit(1M) preserves the correct ownership of this file by # the userid "ikeuser". # # See rbac(5) for information on assigning a rights profile to delegate # administrative control. # # This file contains a very simple example of a configuration file for # the IKEv2 daemon. The example rules below allow the IKEv2 daemon to negotiate # keying material between the two hosts named in each rule. # # Consult the man page for ikev2.config(4) for details or more complicated # examples. # # To enable IKEv2, modify this file to reflect your configuration and # enable the IKEv2 service: # # svcadm enable svc:/network/ipsec/ike:ikev2 # # Note: IKE provides keying material for IPsec. The IPsec policy is not # configured here; see /etc/inet/ipsecinit.sample or ipsecconf(1M). The # cryptographic algorithms listed in this file protect only the IKE exchanges # themselves; they are not necessarily the same as those used by IPsec. # # # Preshared key example #{ # label "Example using preshared keys" # auth_method preshared # local_addr 10.0.0.1 # remote_addr 10.0.0.2 # ikesa_xform { dh_group 14 auth_alg sha256 encr_alg aes } #} # # # The above rule requires a preshared key for authentication. # Add the following entry to /etc/inet/ike/ikev2.preshared (note that its # label matches the label of the rule above). # # For more details, see the ikev2.preshared(4) man page. 
# #{ # label "Example using preshared keys" # key "This is my secret key string" #} # # The key string above is only a placeholder for illustration. In a real # deployment use a long, randomly generated secret; the same secret must be # known to both peers of the rule. # # Certificate example #{ # label "Example using certificates" # # auth_method cert # # Note the "DN =" prefix: every certspec is prefixed with its type, written # as "TYPE=" (for example "EMAIL =" or "DN =" as shown here). # local_id EMAIL = "joe@nowhere.net" # remote_id DN = "C=US, ST=MA, O=Sun, OU=QA, CN=master" # remote_addr 10.0.1.95 # local_addr 10.0.1.93 # ikesa_xform { dh_group 21 auth_alg sha512 encr_alg aes } #} # # The above rule requires certificates for authentication. # Certificates are administered using the ikev2cert(1M) command, # which operates on the IKEv2 PKCS#11 keystore. See pkcs11_softtoken(5) # for details. #